Cannot add trusted domain members after replacing a DC

    Question

  • We replaced a remote Windows 2008R2 domain controller a few months ago, but this problem just surfaced. We have a two-way trust with a sister company, but this DC will not allow us to add members from that remote domain to permissions. It will allow us to select the remote domain, but it won't allow us to pick or resolve any of the users in that remote domain. What may we have overlooked?
    • Moved by Yagmoth555MVP Wednesday, March 22, 2017 2:09 AM Moving, as it will get better attention in the DS's forum
    Tuesday, March 21, 2017 4:12 PM

Answers

  • I'm not sure what the prior DNS config was on the old server. I found that I couldn't ping the remote host by name. I compared to another DC with the same scenario and I added a secondary FLZ and that resolved the issue.
    • Marked as answer by JimCass Wednesday, March 22, 2017 2:04 PM
    Wednesday, March 22, 2017 2:04 PM
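The accepted answer boils down to a name-resolution check followed by giving the new DC's DNS server a copy of the trusted domain's zone. The following PowerShell is an added example written for this thread, not something the poster or Microsoft supplied; it assumes the DnsClient and DnsServer modules are present on the DC, and `$TrustedDomain` and `$TrustedDcIps` are placeholders for the sister company's domain name and DNS servers.

```powershell
# Added example (not from the original thread). Run on the replaced DC as an
# administrator; the DnsServer module ships with the DNS Server role.
param(
    [string]$TrustedDomain = 'sister.example',   # placeholder for the remote domain
    [string[]]$TrustedDcIps = @('192.0.2.10')    # placeholder for its DNS servers
)

# 1. Can this DC locate the trusted domain's DCs through DNS at all?
#    Object picker and trust secure channels both depend on this SRV record.
$srv = "_ldap._tcp.dc._msdcs.$TrustedDomain"
try {
    $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
    $targets = $records | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
    Write-Output "SRV lookup OK, remote DCs: $($targets -join ', ')"
}
catch {
    Write-Warning "Cannot resolve $srv from this DC: $($_.Exception.Message)"

    # 2. Host a secondary copy of the remote zone on this DNS server, as the
    #    accepted answer did. The remote master must permit zone transfers to
    #    this server; a conditional forwarder is the alternative when it does not.
    if (-not (Get-DnsServerZone -Name $TrustedDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -Name $TrustedDomain `
                                   -ZoneFile "$TrustedDomain.dns" `
                                   -MasterServers $TrustedDcIps
        # Alternative:
        # Add-DnsServerConditionalForwarderZone -Name $TrustedDomain -MasterServers $TrustedDcIps
    }
    Clear-DnsClientCache
}

# 3. Re-check the secure channel to the trusted domain; this is the path that
#    logs Netlogon 5719 when name resolution to the remote DCs fails.
nltest /sc_verify:$TrustedDomain
```

Once `nltest /sc_verify` reports success, the remote domain's users should resolve in the object picker again.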

All replies

  • Hi,
    Could you find any detail error message or event logs for this problem?
    In addition, you could also run the following command-line tools on each domain controller to see if we could get more information to help troubleshoot the problem.
    -> DCDIAG /V /C /D /E /s: dcname > c:\dcdiag.log ,
    -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
    Generally, when we add a computer to a domain, we need to point that computer to its DC’s IP address as DNS; please also check that.
    Alternatively, please make sure that your account which is used to add computer has the proper privilege to do that.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Wednesday, March 22, 2017 2:19 AM
    Moderator
  • I'm seeing Netlogon 5719 errors saying that the new DC was not able to setup a secure session with a DC in the remote domain. The account I'm using to execute the commands is an Enterprise admin. I ran the commands from the DC in question; the dcdiag log worked fine, but the repl log generated the error below. How do I get the log files to you?

    ---

    C:\Temp>repadmin.exe /showrepl dc* /verbose /all /intersite
    Repadmin experienced the following error trying to resolve the DSA_NAME: dc*
    If you are trying to connect to an AD LDS instance, you must use <server>:<port>

    If you are trying to connect to an AD LDS instance with wildcarding support, you
     must use the /homeserver option.
    Error: An error occurred:
        Win32 Error 8419(0x20e3): The DSA object could not be found.

    C:\Temp>

    ---

    Wednesday, March 22, 2017 1:01 PM